Currently, the only way to query a protected API in CasualOS is to store the API key inside the inst data. Ideally, users will be able to query any API they desire, using an API key that is securely stored and managed by CasualOS. We call these cloud keys records.
Cloud key records are pretty similar data records. They have an address, markers, and a value. In this case, the value of the key is always a string. Additionally, cloud keys are able to be assigned a list of HTTP origins that they can be used for. They are encrypted by the key secret which is wrapped by the service secret.
[ ] Address
[ ] Markers
[ ] String Value
[ ] List of HTTP Origins (nullable)
The key secret is a secret that is unique to the key and is stored in the database. This secret is used to ensure that keys can only be decrypted by users who have access to the key. This secret is stored in an encrypted form encrypted by the service secret.
The service secret is a secret that is unique to the deployment of CasualOS and is ideally stored in a key management service. This secret is used to ensure that key secrets can only be decrypted by the CasualOS service itself.
[ ] Key is encrypted by key secret
[ ] Key secret is stored as encrypted by the service encrypted
If someone has access to the database, then they should not have access to the service secret.
In addition, cloud keys have a default marker of private, which means that the key is only able to be accessed by members of the studio or the owner of the record by default. For now. cloud keys cannot have the publicRead or publicWrite markers.
[ ] Cloud keys default to "private"
[ ] They cannot be assigned "publicRead" or "publicWrite" markers
Cloud keys also keep a audit log to help track who has accessed the key and what operations have been performed on it.
[ ] Cloud keys keep an audit log of operations and accesses
Here is a list of operations that can be performed for cloud keys:
[ ] recordCloudKey - Creates a new cloud key
os.recordCloudKey(recordName, keyName, key)
[ ] eraseCloudKey - Erases a cloud key
os.eraseCloudKey(recordName, keyName)
[ ] listCloudKeys - Lists cloud keys in a record
os.listCloudKeys(recordName, startingKeyName?)
[ ] getCloudKey - Gets the decrypted cloud key
os.getCloudKey(recordName, keyName)
[ ] listCloudKeyAuditLog - Lists the audit log for a cloud key
Currently, the only way to query a protected API in CasualOS is to store the API key inside the inst data. Ideally, users will be able to query any API they desire, using an API key that is securely stored and managed by CasualOS. We call these cloud keys records.
Cloud key records are pretty similar data records. They have an address, markers, and a value. In this case, the value of the key is always a string. Additionally, cloud keys are able to be assigned a list of HTTP origins that they can be used for. They are encrypted by the key secret which is wrapped by the service secret.
The key secret is a secret that is unique to the key and is stored in the database. This secret is used to ensure that keys can only be decrypted by users who have access to the key. This secret is stored in an encrypted form encrypted by the service secret.
The service secret is a secret that is unique to the deployment of CasualOS and is ideally stored in a key management service. This secret is used to ensure that key secrets can only be decrypted by the CasualOS service itself.
If someone has access to the database, then they should not have access to the service secret.
In addition, cloud keys have a default marker of
private
, which means that the key is only able to be accessed by members of the studio or the owner of the record by default. For now. cloud keys cannot have thepublicRead
orpublicWrite
markers.Cloud keys also keep a audit log to help track who has accessed the key and what operations have been performed on it.
Here is a list of operations that can be performed for cloud keys:
recordCloudKey
- Creates a new cloud keyos.recordCloudKey(recordName, keyName, key)
eraseCloudKey
- Erases a cloud keyos.eraseCloudKey(recordName, keyName)
listCloudKeys
- Lists cloud keys in a recordos.listCloudKeys(recordName, startingKeyName?)
getCloudKey
- Gets the decrypted cloud keyos.getCloudKey(recordName, keyName)
listCloudKeyAuditLog
- Lists the audit log for a cloud keyos.listCloudKeyAuditLog(recordName, keyName, startingKeyLogId?)
Finally, CasualOS should support proxying HTTP requests so that cloud keys can be injected into them.
proxyWebRequest
- Executes a HTTP request that is proxied through the CasualOS servers.web.proxy(options)
Example of proxying a web request with a cloud key: